I am considering a wicket application with multiple tenants: All tenants have the same functionality and use the same code but data is separated. Especially authentication is separated. Each tenant has one separate name space:
- http://tenant1.mywicketapplication.com/somepage/...
- http://tenant2.mywicketapplication.com/somepage/...
This might not be handled in wicket (but needs some mapping on the web server level). Hence the name spaces may look like that:
- ...//mywicketapplication.com/tenant1/somepage/...
- ...//mywicketapplication.com/tenant2/somepage/...
Now I need to prevent that a user that was authenticated for tenant1 may access tenant2. I could store the tenant specific url part (here "tenant1") in the session and check for each page whether it maches the stored url part. The drawback is that this architecture is not very secure since this check may be forgotten for each new page (yes - that would be a bug...). A stronger solution would have a single point to check it. It would be great to check that in the security layer, e.g. within "Wicket Auth/Roles".
So my question: Where can I check whether a request requires a new session or is mapped to an existing session? Are there already concepts or hooks in Wicket for multiple tenants? What is your experience?